On 12/13/2011 10:50 PM, Sigbjorn Lie wrote:
Hi,

When adding users or user groups to a netgroup, the format of the netgrouptriple ends up as following:

nisNetgroupTriple: (-,username,ix.test.com)

The extra "-" prevents me from using IPA's netgroups for tcp wrappers using /etc/hosts.allow and /etc/hosts.deny for user access control.

Making the same test with a NIS server, creating the same entry without the "-", works for user access control.

Looking at 389-ds' wiki, the "-" should not be there:
http://directory.fedoraproject.org/wiki/Howto:Netgroups

Is this a configurable setting? Or should I open a ticket?


To answer myself, yes this is configurable.

There is an attribute under "cn=ng,cn=Schema Compatibility,cn=plugins,cn=config", named "schema-compat-entry-attribute". Changing this attribute from:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})


To:
nisNetgroupTriple=(%link("%ifeq(\"hostCategory\",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\\\\\"memberHost\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberHost\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"fqdn\\\\\\\")\\\")\")","",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\")","-"),%{nisDomainName:-})

makes the netgroup return correctly, and user-based hosts.allow and hosts.deny work just fine! The entries now look like:
nisNetgroupTriple: (,username,ix.test.com)

This allows me to use the same user group for access to services at Red Hat servers using SSSD/HBAC, and services at Solaris servers using tcp wrappers. SSH in Solaris comes with TCP wrappers built in, so no extra configuration is required. :)


Ticket opened:
https://bugzilla.redhat.com/show_bug.cgi?id=767372
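As an added illustration (not part of the original post or of the FreeIPA/389-ds code) of why the leading "-" matters: in NIS netgroup triples an empty field is a wildcard while "-" is an explicit "no value", so a host-side lookup against a (-,user,domain) entry can never match. The host, user and domain values below are constructed sample data.

```python
# Added example: NIS netgroup triple parsing and matching, to show the
# difference between "(-,username,ix.test.com)" (host field = "-", matches
# no host) and "(,username,ix.test.com)" (host field empty, matches any host).
# Sample hosts/users/domains are constructed for illustration.

def parse_netgroup_triple(value: str) -> tuple[str, str, str]:
    """Parse a nisNetgroupTriple value such as '(-,username,ix.test.com)'."""
    body = value.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"not a netgroup triple: {value!r}")
    parts = body[1:-1].split(",")
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields in {value!r}, got {len(parts)}")
    host, user, domain = (p.strip() for p in parts)
    return host, user, domain


def field_matches(field: str, actual: str) -> bool:
    """NIS semantics: '' is a wildcard, '-' matches nothing, else exact match."""
    if field == "":
        return True
    if field == "-":
        return False
    return field == actual


def triple_matches(value: str, host: str, user: str, domain: str) -> bool:
    """True if the (host,user,domain) tuple is covered by the triple."""
    h, u, d = parse_netgroup_triple(value)
    return (field_matches(h, host)
            and field_matches(u, user)
            and field_matches(d, domain))


if __name__ == "__main__":
    # Before the schema-compat change: host field is "-", so no host matches.
    before = "(-,username,ix.test.com)"
    # After the change: host field is empty, so any host matches.
    after = "(,username,ix.test.com)"
    for triple in (before, after):
        ok = triple_matches(triple, "solaris1.ix.test.com", "username", "ix.test.com")
        print(f"{triple}: username@solaris1.ix.test.com -> {ok}")
```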


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
